Release privacyIDEA 3.7.2

julio · July 5, 2022, 12:19pm

Hello community,

we release today a patch release of privacyIDEA

You can find the complete changelog at Github

Thank you for using privacyIDEA

Jose_Pereira · July 7, 2022, 6:07pm

Hi there,

It seems that passthru got broken on 3.7.2
On 3.7.1, I had a working policy with with passthru that’s not working anymore in 3.7.2.
I always received the message " The user as no token assigned", but the police has exactly that purpose, for users with no token.

tkx

cornelinux · July 7, 2022, 7:18pm

Thank you for reaching out.
I can not confirm, that passthru is broken. It basically works as expected.

However, user comparison has changed (see privacyidea/Changelog at master · privacyidea/privacyidea · GitHub). So it might be that you have a rare scenario where you have two users, that previously looked like on object, but are no recognized as two different user objects. And maybe your policy has certain conditions, that do not match anymore.

Jose_Pereira · July 7, 2022, 7:29pm

The Policy is very simple… the user from certain “User-Resolver” will always be passthru, there’s nothing else in the Policy. If for instance I change the the “Action” from passthru to passOnNoToken, I can see in the audit that the user match the Policy and go through, with passthru option, in the audit the user does not even match the Policy.

cornelinux · July 7, 2022, 8:09pm

Do you mind to share it? The Policy?

Also: You might want to take a look at your privacyidea.log in debug level and observe which user objects are identified. The log output will also contain information about user comparison (which is the only relevant code, that was changed)

Jose_Pereira · July 7, 2022, 8:29pm

Sorry, my bad… The test user password changed and I was always insisting in the old one. The error message “The user as no token assigned” took me to the wrong conclusions. After a coffee brake, everything got cleared. PASSTHRU works like a charm. Tkx

cornelinux · July 8, 2022, 5:16am

Thanks a lot for sharing this clarification.

So the first thing that happens is, that privacyIDEA realizes, “that the user has no tokens assigned”.
It then tries, if passthru would be possible, while it is not (with wrong credentials)
So it sticks with the initial error message, which was misleading it this case.

Interesting enough we only add the passthru policy to the audit log, if passthru was successful.
Which is misleading in this case. I think the idea behind this was, that in case of a wrong password “passthru” did not happen, so we did not add it.
I need to check with the behaviour in other cases.